4
IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 46, NO. I, JANUARY 2000
m
Binary -Sequences with Three-Valued Crosscorrelation: A Proof of Welch’s Conjecture Anne Canteaut, Pascale Charpin, and Hans Dobbertin
Abstract—We prove the long-standing conjecture of Welch = 2 + 1, the power function stating that for odd with = 2 + 3 is maximally nonlinear on GF (2 ) or, in other terms, that the crosscorrelation function between a binary maximum-length linear shift register sequences of degree and a decimation of that sequence by 2 + 3 takes on precisely the three values 1 1 2 +1 . Index Terms—Almost perfect nonlinear mappings, crosscorrelation, maximally nonlinear mappings, McEliece’s theorem, power functions, Walsh transform, Welch’s conjecture.
I. INTRODUCTION AND PRELIMINARIES
I
N his 1968 paper [7], S. W. Golomb mentioned a conjecture of Welch concerning the crosscorrelation function of binary -sequences (see also Niho’s thesis [11] of 1972). Since that time, crosscorrelation functions have been studied intensively, but Welch’s conjecture remained open. A weakened version was recently verified by the third author [5]. Based on this prework we shall finally confirm the Welch conjecture in the present paper. Applying McEliece’s powerful theorem on divisible codes we can reduce the problem to an inequality for the Hamming weights of cyclotomic numbers, which actually holds as is demonstrated in the next section. GF be the finite field with elements, where Let is odd. A mapping from to is called almost perfect nonlinear (APN) if each equation (1) has at most two (and therefore either none or precisely two) solutions in . We note that an APN power function is necessarily one-to-one for odd , as can be seen easily. Being APN is a “differential” property. Nevertheless, for odd it is closely related to another extremal kind of nonlinearity which refers to the Hamming distance to linear mappings. The of a basic tool for the latter aspect is the Walsh transform GF , which is defined as Boolean function :
Manuscript received August 31, 1998; revised June 23, 1999. This work was supported in part by the Katholieke Universiteit Leuven, Belgium. This work was performed while H. Dobbertin was with the Katholieke Universiteit Leuven, ESAT-COSIC, B-3001 Heverlee, Belgium A. Canteaut and P. Charpin are with INRIA-Rocquencourt, Domaine de Voluceau, B.P. 105, F-78153 Le Chesnay Cedex, France (e-mail: {Anne.Canteaut; Pascale.Charpin}@inria.fr). H. Dobbertin is with the German Information Security Agency, Bonn, Germany (e-mail:
[email protected]). Communicated by S. W. Golomb, Associate Editor for Sequences. Publisher Item Identifier S 0018-9448(00)00361-8.
Here denotes the canonical additive charare said to be the Walsh coefficients acter on GF . The is “large” then the linear mapping of . If (if ) or its complement (if ) has a “small” Hamming distance to , or in other words, is a “good” approximation for . Thus a quantitative measure for the linearity of is given by , occurring in the the maximal absolute value, denoted by Walsh spectrum of The Walsh transform of : is defined as the collection of all Walsh transforms of component functions of , i.e., map, . We denote by pings of the form the set of all values occurring in the Walsh spectrum of , and set Those attaining the minimal possible value for are called maximally nonlinear. This minimum is known to be for . From Chabaud and Vaudenay [4, p. 363], we conclude. is maximally nonlinear if and only if Theorem 1: . Moreover, if is maximally nonlinear then APN.
is
with On the other hand, if we take then the Walsh spectrum of allows us to determine the set of the values of the crosscorrelation function between the following two -sequences (maximum-length linear shift register ) and ( ) with sequences): ( and , and where is a primitive root of . In 1968, Welch conjectured that the power function for the Welch exponent is maximally nonlinear or, in other terms, that the crosscorrelation function between a binary maximum-length linear shift register sequence of degree and a decimation of that sequence takes on precisely the three values . by For this time, Welch’s conjecture has been verified numerically for many values of . Note that there are few classes of power functions that are maximally nonlinear. The most recent results are listed in [2]. with Definition 1: The power functions , odd, are called the Welch power functions. A major step toward confirming Welch’s conjecture is the following theorem proven in [5].
0018–9448/00$10.00 © 2000 IEEE
CANTEAUT et al.: BINARY
-SEQUENCES WITH THREE-VALUED CROSSCORRELATION
Theorem 2: Welch power functions are APN. As mentioned above, the APN property is implied by maximal nonlinearity. Conversely, as we shall demonstrate below, the APN property plus the condition that all Walsh coefficients are divisible by implies maximal nonlinearity. of We note that there is also another way to prove this fact, namely, by using Kasami’s method—we will indicate it in the Appendix at the end of the paper. This method is based on classical results in coding theory which make it possible to prove that under certain hypotheses the Walsh spectrum is unique. In our context these hypotheses are exactly the APN property and the divisibility condition for the Walsh coefficients. It is well known (see, for instance, [8]) that if is APN then the sum of fourth powers of all Walsh coefficients of has precisely the value, namely, , which appears in case of maximal nonlinearity, where the Walsh spectrum con. For the reader’s convenience we sists precisely of include a proof.1 We have
5
by using (2), for and Now or else
and any pair .
, and next substituting holds iff either
(3) ). In accordance with (1), if (by dividing all terms by is APN then (3) is impossible for four different terms. If is APN then the latter means either or . Thus there pairs satisfying the above are precisely or or . We conclude by using (2) equation : that
Similarly we can derive
which altogether gives as claimed
We now apply a very common argument. If then , , runs through all elements of , and, therefore, if if
. (2)
Lemma 1: If for an APN power function all Walsh coefare divisible by , then is maximally ficients of nonlinear. , , Proof: Assume that is a sequence listing all absolute values of nonzero coefficients , where and occurring in the spectrum of for . Suppose that occurs precisely times. Let be APN. Then as shown above
We can proceed as follows: By Parseval’s equation we have
Consequently,
i.e.,
Since
for
, all
(
) must vanish.
For an arbitrary integer we denote by the Hamming weight of the binary representation of and define 1We note that, transferred into a coding theory context, power sums of Walsh coefficients correspond to Pless power moments[12].
where
is the remainder of
modulo
.
6
IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 46, NO. I, JANUARY 2000
McEliece’s famous theorem on divisible codes (see [10]) states, transferred into the present context, that Theorem 3: All Walsh coefficients of if and only if for all nonzero by
(recall that
are divisible
iii) If with
and we have: then there is some nonzero
or there is some nonzero
).
II. PROOF OF WELCH’S CONJECTURE: THE MISSING LINK In the sequel we identify integers with their binary represendenote the Welch exponent. According tation. Let to Theorem 2, Lemma 1, and Theorem 3 we have to show that for all nonzero , which is obviously equivalent to (4) since assume that
For 7-bit strings
and
,
with
. . Let
Lemma 3: Let
be bit strings of length , i.e., integers smaller that i) Then
.
for nonzero . Of course, we can . We represent in the form
where we assume without loss of generality and . In fact, there exists a pair of positions such that , since otherwise . By a cyclic shift, or in other terms, cyclotomic equivalence, let . We conclude (5) Our proof makes use of the evident fact that for arbitrary integers , we have
with equality iff and are disjoint, in the sense that for all . The same rule holds for if In view of (5) we shall study the following function arbitrary integers (finite bit strings) ,
and ii) If
and iii) If
and
,
implies then
implies , and implies
,
.
. ,
, then , and
. we checked the lemma by direct compuProof: For we proceed by inductations (with computer help). For tion as follows. Given , we have by Lemma 2 i) that there with . is some We will use the inequality
or . for
(6) and the notations
Note that Proof of i): To show apply (6) and the induction hypothesis since and We have checked the following lemma with a computer.
, it is sufficient to
.
Lemma 2: Let Suppose now that
and be bit strings of length , i.e., integers smaller than such that i) Then there is some nonzero
ii) If that
then there is some nonzero
. This implies clearly . The first (by the induction hy, the second one implies (Lemma 2-iii)). We then deduce that and
.
, such
equality implies that pothesis) and, if that . Proof of ii): We similarly have
CANTEAUT et al.: BINARY
-SEQUENCES WITH THREE-VALUED CROSSCORRELATION
We now assume that distinguish two cases:
and
and we
and . Thus where —by inand have only bits. duction since we apply Lemma 2 ii): we can choose , • If , such that Since by induction hypothesis, we obtain
• If
7
Using that
, we deduce that
then
From Lemma 3 ii) we also have that is odd. Then that , then get that, if
, or, equivalently, . We finally
Case 2.
In both cases we state a contradiction; so . with Proof of iii: Assume that and . . If We first prove that there exists such that and . If , the first equality imby induction hypothesis. This also plies that , since holds when . According to Lemma 2 iii), and can only occur when . . We now prove that our hypothesis implies then Indeed, since : if this holds by induction hypothesis, and if , . We then obtain:
and : In this case, and . By applying Lemma 3 iii), . Suppose now that we obtain that . Lemma 3 iii) implies that and . , its most significant bit is . By writing Since
we get
where
comes from the fact that
is odd since and Case 3.
. : In this case,
Since , either Case 1 or Case 2 can be applied to . We then deduce that Therefore, either as desired or for some with The latter is impossible. In fact, otherwise,
.
Case 4. and : If . i) gives that , we have If Lemma 3 ii) then implies that
, Lemma 3 and
.
.
To summarize, we can state the following theorem, which was originally conjectured by Welch in 1968.
On the other hand,
if is even and if
Recently, the third author has shown that Niho power functions ,
is odd. Hence
We then obtain a contradiction if . For ment was verified by computer assistance.
Theorem 4: Welch power functions are maximally nonlinear.
the state-
We are now prepared to confirm (4). and : In this Case 1. and . By applying Lemma 3 ii), we case, . Suppose now that obtain that . Since , we have
where the right-hand term of this equality is positive, and
with are APN. Niho [11] conjectured that they are even maximally nonlinear. We suspect that our methods, with somewhat more technical effort, could also be applied to confirm Niho’s conjecture.
APPENDIX THE CODING POINT OF VIEW Consider binary cyclic codes of length , , and whose generator polynomial is the product of two minimal polynomials. More precisely, let be a primitive root of
8
IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 46, NO. I, JANUARY 2000
GF
and denote by the minimal polynomial of , . Let us denote by the binary cyclic code , for all . whose generator is the product , is a Assuming that code whose minimum distance is in . is APN if and It was shown in [3] that the power function . This function is maximally nonlinear on if and only if , has three nonzero weights only, only if the dual of , say and . Moreover, it is known that if which are satisfies this last condition then its weight enumerator is unique and is the same as the weight enumerator of the dual of the twoerror-correcting Bose–Chaudhuri–Hocquenghem (BCH) code. The tools introduced by Kasami [9] for his proof can be used for proving Lemma 1—that we rewrite below for codes . has only three weights, Proposition 1: The code and , if and only if and each weight of is . divisible by Proof: We present a sketch of proof only; a full explanation, in a more general context, will be given in a forthcoming paper [2]. and ) (respectively, Let ) be the weight enumerator of the code (re). The proof is based on the study of numbers spectively, , for some . We have for any even
where is the minimal weight of . By using the four first power moments of weight enumerator [12], we obtain and
We deduce two expressions of )
(where
Note that the th term above is less than or equal to zero if and or . only if satisfies: if and only if , i.e., . On the First other hand, there is no negative term in the first expression of
when all weights when the weights of is easily completed.
of are divisible by are only and
. Since , the proof
Remark: A maximally nonlinear power function is usually said to be almost bent (AB) in a cryptographic context. Such a function opposes an optimum resistance to both linear and differential cryptanalysis. An extensive study of APN and AB properties was recently made by Carlet, Charpin, and Zinoviev in [3]. ACKNOWLEDGMENT The authors wish to thank C. Carlet, T. Helleseth, E. SchulteGeers, F. Levy-dit-Vehel, and V. Zinoviev for helpful discussions and hints. They would also like to thank the members of the Research Group ESAT-COSIC, especially Prof. B. Preneel, for their hospitality. REFERENCES [1] A. Canteaut, P. Charpin, and H. Dobbertin, “Couples de suites binaires de longueur maximale ayant une corrélation croisée à trois valeurs: Conjecture de Welch,” C.R. Acad. Sci. Paris, ser. 1, vol. 328, pp. 173–178, 1999. [2] , “Divisibility of cyclic codes and highly nonlinear functions on F ,” SIAM J. Discr. Math, to be published. [3] C. Carlet, P. Charpin, and V. Zinoviev, “Codes, bent functions and permutations suitable for DES-like cryptosystems,” Des., Codes Cryptogr., vol. 15, pp. 125–156, 1998. [4] F. Chabaud and S. Vaudenay, “Links between differential and linear cryptanalysis,” in Advances in Cryptology—EUROCRYPT’94. ser. Lecture Notes in Computer Science, vol. 950, A. De Santis, Ed. New York, NY: Springer-Verlag, 1995, pp. 356–365. [5] H. Dobbertin, “Almost perfect nonlinear power functions on GF (2 ): The Welch case,” IEEE Trans. Inform. Theory, vol. 45, pp. 1271–1275, May 1999. [6] , “Almost perfect nonlinear power functions on GF (2 ): The Niho case,” Inform. Comput., to be published. [7] S. W. Golomb, “Theory of transformation groups of polynomials over GF (2) with applications to linear shift register sequences,” Inform. Sci., vol. 1, pp. 87–109, 1968. [8] T. Helleseth, “Some results about the cross-correlation function between two maximal linear sequences,” Discr. Math., vol. 16, pp. 209–232, 1976. [9] T. Kasami, “Weight distributions of Bose–Chaudhuri–Hocquenghem codes,” in Combinatorial Mathematics and Applications, R. C. Bose and T. A. Dowlings, Eds. Chapel Hill, NC: Univ. North Carolina Press, 1969, ch. 20. [10] R. J. McEliece, “Weight congruence for p-ary cyclic codes,” Discr. Math., vol. 3, pp. 177–192, 1972. [11] Y. Niho, “Multi-valued cross-correlation functions between two maximal linear recursive sequences,” Ph.D. dissertation, Dept. Elec. Eng., Univ. Southern California, Los Angeles, CA, 1972. [12] V. Pless, “Power moment identities on weight distributions in error-correcting codes,” Inform. Contr., vol. 6, pp. 147–152, 1963.
